The watchdog’s report says the GAO “found that from 2012 to 2017, (Department of Defense) testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.” During some of the tests, testers were able to hack into some of these complex weapons systems and take control over them “using relatively simple tools and techniques.”
“In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing,” the report said. In some cases, the “weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the internet and gain administrator privileges.” One of the reasons that the weapons systems are so vulnerable to cyber-attack is their connectivity to other systems, something long seen by the Pentagon as an advantage. Weapons like the F-35 Joint Strike Fighter have been celebrated for their ability to connect to a range of other systems, allowing critical military information to be more easily shared. But the GAO’s reports says that connectivity makes weapons systems vulnerable as potential hackers would only need to penetrate one of the connected systems to potentially gain access to the others. “These connections help facilitate information exchanges that benefit weapon systems and their operators in many ways—such as command and control of the weapons, communications, and battle space awareness,” the reports says while adding “If attackers can access one of those systems, they may be able to reach any of the others through the connecting networks.” Pentagon spokesperson Maj. Audricia Harris told CNN that they “takes threats to our nation seriously.” “We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our defense Industrial Base and defense Critical Infrastructure partners to secure critical information,” she said.
The revelation that so many Pentagon weapons systems are vulnerable to cyber-attacks raises questions about the billions of dollars the US has invested in its various programs. The report said that part of the problem was the fact that cyber-security has only recently been emphasized when developing requirements for these systems.
The report did say the Pentagon “is taking steps to improve its understanding of its weapon systems’ vulnerabilities, determine how to mitigate risks from those vulnerabilities, and inform future development of more secure systems,” but added that the Defense Department faced challenges with regard to boosting its defenses given the cost of recruiting and retaining talented cyber-security professionals and difficulties in sharing information. The Department of Defense recently released its cyber strategy which said the Pentagon is seeking to incorporate cyber-security awareness throughout the institutional culture of the department.